Exploit Forces MSN Messenger Upgrade
Security researchers from Core Security have devised a way to crash MSN Messenger without user interaction simply by selecting a specially crafted Portable Network Graphics (PNG) file as an avatar. In response, Microsoft has begun forcing users to upgrade their software before being able to sign in to its IM network.
The exploit stems from design flaws in a component library called "libpng" that decodes the avatar images. Worse still, the exploit has the potential to run arbitrary code on a user's system.
Core Security also stated in its advisory that the attack can pass undetected by front-line security software such as host-based firewalls, antivirus and network intrusion utilities. Essentially, the victim would have no indication that they were being targeted, and their client could feasibly be used to spread the exploit to everyone on their contact list.
Microsoft released a bulletin covering the vulnerability late Thursday. The company initially opted to distribute a patch through its usual channels as an optional update, but decided to take "decisive action" after it learned that the exploit was in the wild.
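The article describes a crafted PNG that a decoder accepts without complaint. One mitigation a service operator can apply independently of the client patch is to validate the structure of an uploaded avatar before any image library touches it. The following Python is an added example written for this page; it is not code from Core Security, Microsoft or libpng, and it does not reproduce the specific libpng flaw. It walks the PNG chunk list and rejects files whose chunk lengths overrun the buffer or the PNG limit, whose CRCs do not match, or whose IHDR declares unreasonable dimensions. The dimension cap `MAX_DIMENSION`, the helper names and the constructed sample files are assumptions for illustration.

```python
"""Structural pre-screening of a PNG avatar before it reaches an image decoder."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK_LEN = 2**31 - 1   # PNG specification: a chunk length must not exceed 2^31 - 1
MAX_DIMENSION = 4096        # assumption: a sane upper bound for an avatar's width/height


class PngValidationError(ValueError):
    """Raised when the file does not satisfy the structural checks below."""


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte big-endian length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def validate_png(blob: bytes) -> list[str]:
    """Return the ordered chunk types of a well-formed PNG; raise on any structural defect."""
    if not blob.startswith(PNG_SIGNATURE):
        raise PngValidationError("bad PNG signature")
    pos = len(PNG_SIGNATURE)
    seen: list[str] = []
    while pos < len(blob):
        if len(blob) - pos < 12:  # length(4) + type(4) + crc(4) is the minimum chunk size
            raise PngValidationError("truncated chunk header at offset %d" % pos)
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        if length > MAX_CHUNK_LEN:
            raise PngValidationError("chunk %r declares length %d beyond the PNG limit" % (ctype, length))
        if pos + 12 + length > len(blob):
            raise PngValidationError("chunk %r declares %d bytes but only %d remain"
                                     % (ctype, length, len(blob) - pos - 12))
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise PngValidationError("CRC mismatch in chunk %r" % ctype)
        if not seen and ctype != b"IHDR":
            raise PngValidationError("first chunk must be IHDR, found %r" % ctype)
        if ctype == b"IHDR":
            if length != 13:
                raise PngValidationError("IHDR must be 13 bytes, got %d" % length)
            width, height = struct.unpack(">II", data[:8])
            if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
                raise PngValidationError("unreasonable image size %dx%d" % (width, height))
        seen.append(ctype.decode("ascii", errors="replace"))
        pos += 12 + length
        if ctype == b"IEND":
            break
    if seen[-1:] != ["IEND"]:
        raise PngValidationError("missing IEND chunk")
    if pos != len(blob):
        raise PngValidationError("%d trailing bytes after IEND" % (len(blob) - pos))
    return seen


def screen_avatar(blob: bytes) -> tuple[bool, str]:
    """Policy wrapper: (accepted, reason) so callers can log the rejection cause."""
    try:
        chunks = validate_png(blob)
    except PngValidationError as exc:
        return False, str(exc)
    return True, "ok: " + ",".join(chunks)


def build_sample_png() -> bytes:
    """Constructed sample: a minimal 1x1 8-bit RGB image (IHDR, IDAT, IEND)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, depth, colour type, ...
    idat = zlib.compress(b"\x00\x00\x00\x00")             # one scanline: filter byte + RGB pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


def build_oversized_idat_png() -> bytes:
    """Constructed malformed sample: the IDAT length field claims far more data than exists."""
    good = build_sample_png()
    idat_at = len(PNG_SIGNATURE) + 12 + 13                # IHDR chunk is 12 + 13 bytes long
    return good[:idat_at] + struct.pack(">I", 0xFFFFFFF0) + good[idat_at + 4:]


if __name__ == "__main__":
    for name, blob in [("valid", build_sample_png()),
                       ("oversized IDAT", build_oversized_idat_png()),
                       ("truncated", build_sample_png()[:-4]),
                       ("not a PNG", b"GIF89a")]:
        print(name, "->", screen_avatar(blob))
```

The screen runs before any decoder is invoked, so a file that lies about its chunk sizes is dropped by arithmetic on the container rather than by the parser that would otherwise trust it. It is a coarse filter, not a substitute for patching the decoder, and it deliberately knows nothing about chunk semantics beyond IHDR.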
Now, MSN Messenger will begin to force a mandatory upgrade before users can sign in to the service. Effective late Thursday evening, clients must be updated to either version 6.2.0205 or the MSN Messenger 7 preview release.
Microsoft's internal security experts found that both Windows Media Player and Windows Messenger are affected as well, including Service Pack 2 versions.